State surveillance has been much publicised of late due to Snowden’s revelations, but allegations against the NSA and GCHQ are only one aspect of the international industry surrounding wholesale surveillance. Another growing concern is the emergence and growth of private sector surveillance firms selling intrusion software to governments and government agencies around the world.
Not restricted by territorial borders and globalised like every other tradable commodity, this trade has buyers and sellers that pockmark the globe. Whether designed to support law enforcement or anti-terrorism programmes, intrusion software, enabling states to monitor, block, filter or collect online communication, is available to any government willing to spend the capital. Indeed, there is money to be made – according to Privacy International, the “UK market for cyber security is estimated to be worth approximately £2.8 billion.”
The table below, collated from a range of sources including Mother Jones, the Electronic Frontier Foundation, Bloomberg, Human Rights Watch, Citizen Lab, Privacy International and Huffington Post, shows the flow of intrusion software around the world.
|Surveillance Company|Country of Origin|Alleged Countries of Use|
|---|---|---|
|VASTech|South Africa|Libya (137)|
|Hacking Team|Italy|Azerbaijan (160), Egypt (159), Ethiopia (143), Kazakhstan (161), Malaysia (147), Nigeria (112), Oman (134), Saudi Arabia (164), Sudan (172), Turkey (154), Uzbekistan (166)|
|Elbit Systems|Israel|Israel (96)|
|Creative Software|UK|Iran (173)|
|Gamma TSE|UK|Indonesia (132)|
|Narus|USA|Egypt (159), Pakistan (158), Saudi Arabia (164)|
|Cellusys Ltd|Ireland|Syria (177)|
|Adaptive Mobile Security Ltd|Ireland|Syria (177), Iran (173)|
|Blue Coat Systems|USA|Syria (177)|
|FinFisher GmbH|Germany|Egypt (159), Ethiopia (143)|
Note: The numbers alongside the alleged countries of use are each country’s ranking in the 2014 Reporters Without Borders World Press Freedom Index.
While by no means complete, this list is indicative of three things. There is a clear divide, in terms of economic development, between the buyer and seller countries; many of the countries allegedly purchasing intrusion software are in the midst of, or emerging from, conflict or internal instability; and, with the exception of Israel, every buyer country ranks in the lower hundred of the latest World Press Freedom Index.
The alleged legitimacy of this software in terms of law enforcement ignores the potential to use these tools for strictly political ends. Human Rights Watch outlined in its recent report the case of Tadesse Kersmo, an Ethiopian dissident living in London. Due to his prominent position in the opposition party Ginbot 7, it was discovered that his personal computer had traces of FinFisher’s intrusion software, FinSpy, jeopardising the anonymity and safety of those in Ethiopia he has been communicating with. There is no official warrant out for his arrest and at the time of writing there is no known reason in terms of law enforcement or anti-terrorism legislation, outside of his prominence in an opposition party, for his surveillance. It is unclear whether this is part of a larger organised campaign against dissidents in both Ethiopia and the diaspora, but similar claims have been filed against the Ethiopian government on behalf of individuals in the US and Norway.
FinFisher GmbH states on its website that “they target individual suspects and can not be used for mass interception.” Without further interrogation into the end-use by its customers, there is nothing available to directly corroborate or question this statement. But to what extent are private firms responsible for the use of their software by their customers, and how robustly can they monitor that end-use?
In the US Electronic Code of Federal Regulations, there is a piece of guidance entitled Know Your Customer. This outlines steps to be undertaken by firms to identify what the end-use of their products is. This is a proactive process, placing the responsibility firmly with the seller to clearly identify and act on abnormal circumstances, or ‘red flags’. The guidance clearly states that the seller has a “duty to check out the suspicious circumstances and inquire about the end-use, end-user, or ultimate country of destination.”
Hacking Team has sold software, most notably the Remote Control System (RCS), to a number of countries around the world (see above). Citizen Lab, based out of the University of Toronto, has identified 21 countries that have potentially used this software, including Egypt and Ethiopia. In its customer policy, Hacking Team outlines in detail the lengths it goes to in order to verify the end-use and end-user of RCS. Mentioning the above guidelines, Hacking Team has put into practice an oversight process involving a board of external engineers and lawyers who can veto sales, research of human rights reports, as well as a process that can disable functionality if abuses come to light after the sale.
However, Hacking Team goes a long way to obscure the identity of countries using RCS. Labelled as untraceable, RCS has established a “Collection Infrastructure” that utilises a chain of proxies around the world that shields the user country from further scrutiny. The low levels of media freedom in the countries purportedly utilising RCS, the lack of transparency in terms of the oversight process including the make-up of the board and its research sources, as well as the reluctance of Hacking Team to identify the countries it has sold RCS to, undermine the robustness of such due diligence. In the words of Citizen Lab: “we have encountered a number of cases where bait content and other material are suggestive of targeting for political advantage, rather than legitimate law enforcement operations.”
Many of the firms outline their adherence to the national laws of the country they sell software to when defending their practices. But without international guidelines and alongside the absence of domestic controls and legislation protecting the population against mass surveillance, intrusion software remains a useful, if expensive, tool for governments to realise and cement their control of the media and other fundamental freedoms.
Perhaps the best way of thinking of corporate responsibility in terms of intrusion software comes from Adds Jouejati of the Local Coordination Committees in Syria, “It’s like putting a gun in someone’s hand and saying ‘I can’t help the way the person uses it.’”